Nov 08 2017

Losses due to recent strains of ransomware: Option A = $62 million, or Option B = $310 million?

Both sound like bad options, but the choice is obvious.

The recent reports of “Bad Rabbit” attacks have put ransomware top of mind in the cybersecurity world. Bad Rabbit is certainly not the first of its kind; in fact, it’s not even the first this year. The ransomware dubbed “Petya” was first discovered in 2016 and morphed into the still more dangerous “NotPetya” in March of 2017. NotPetya wreaked havoc for thousands of users worldwide, taking advantage of weaknesses in software packages.

Some of the more notable companies affected by NotPetya included Merck, FedEx, and Maersk. Since June, recovery from NotPetya has cost Merck more than $310 million, and they are not alone. FedEx and Maersk suffered losses of $300 million and $200 million respectively. The information shared by Merck and others also demonstrates how long it can take to truly recover from a ransomware attack. NotPetya only infected Merck for about a week, but it has taken them months to recover. In fact, CFO Robert Davis reported that loss of sales as a result of the attack would still be evident in the company’s fourth quarter results.

As companies become more transparent with the effect ransomware has had on their bottom lines, it becomes more evident how crucial it is to have a budget in place for cybersecurity measures. With the end of 2017 fast approaching, 2018 budget deliberations could easily include considerations for cybersecurity planning. Taking small steps to begin preparing your company for the increasing likelihood of cyber attack can pay off tenfold in the event of an attack.

As far back as 2013, Gartner research estimated a 1-to-5 ratio of proactive to reactive spend: for every $5 spent recovering from a breach, an organization could have spent $1 on preparation instead. For Merck, that means $62M spent on proactive defense could have mitigated $310M in recovery costs. Even if that estimate is only in the ballpark, it is still a remarkable difference. Again, either option sounds bad, but the choice is clear. For big companies, it’s a choice of what to spend. For companies in the SMB space, it’s a choice of whether they stay in business or not.

The New Norm for cyber risk planning is here. It’s time to get started.